June 8, 2023

I Am A Spammer

Ok, well not really. I’ve never once intentionally sent any spam emails before, and none of my websites collect emails or even send any out… or so I thought that’s what they were doing.

Years ago (we’re talking 1999 here) I headed over to hotscripts and grabbed a generic form email script. This particular script was written by Dennis of DarkMix.net (which no longer exists, so I assume Dennis had the same problem).

The problem was with the following lines of code that I just seemingly noticed:

// $Name and $Email come straight from the request via register_globals, unvalidated
$headers = "From: $Name <$Email> \n";
$headers .= "Reply-To: $Email\n";
$headers .= "X-Mailer: Darkmix Mail Sender\n";
$headers .= "X-Mailer-Version: 1.1";

I’m sure many of you can spot the problem. It’s very easy to add whatever you want to those headers by entering a creative email address: a value containing a line break simply starts a new header line, so the visitor controls what the mail server sees. Worse, this code didn’t read $Name and $Email from the $_POST or $_GET superglobals either. It relied on register_globals, so any request parameter populated them.
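A hardened version of that header construction, added here as an example (this is not the DarkMix script or anything from hotscripts): values are read from $_POST, anything containing a carriage return or line feed is rejected outright, the address is validated, and mail goes out from a server-owned address (noreply@example.com is a placeholder) with the visitor only in Reply-To.

```php
<?php
// Added example: the same headers as the DarkMix snippet, built safely.

// Returns the trimmed value, or null if it could not safely sit in a header.
function clean_header_value($value, int $maxLen = 254): ?string
{
    if (!is_string($value)) {
        return null;                       // arrays or missing fields
    }
    // A CR or LF inside a header value would start a new header line,
    // which is exactly what header injection relies on.
    if (preg_match('/[\r\n]/', $value)) {
        return null;
    }
    $value = trim($value);
    if ($value === '' || strlen($value) > $maxLen) {
        return null;
    }
    return $value;
}

// Builds the extra headers for mail(), or returns null if input is unsafe.
function build_headers(array $post): ?string
{
    $name  = clean_header_value($post['Name'] ?? null, 100);
    $email = clean_header_value($post['Email'] ?? null);
    if ($name === null || $email === null) {
        return null;
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Keep the display name from breaking out of its quotes.
    $name = str_replace(['"', '<', '>', '\\'], '', $name);

    // From: is our own address (placeholder), so the visitor cannot
    // forge the sender; their address only appears in Reply-To.
    $headers  = "From: \"$name\" <noreply@example.com>\r\n";
    $headers .= "Reply-To: $email\r\n";
    $headers .= "X-Mailer: Darkmix Mail Sender\r\n";
    $headers .= "X-Mailer-Version: 1.1";
    return $headers;
}

// Constructed inputs: a normal submission and one carrying a line break.
foreach ([
    ['Name' => 'Ryan', 'Email' => 'ryan@example.org'],
    ['Name' => 'Ryan', 'Email' => "ryan@example.org\nX-Injected: yes"],
] as $post) {
    echo build_headers($post) === null ? "rejected\n" : "accepted\n";
}
```

In the real handler, pass $_POST to build_headers() and only call mail() when it returns a non-null string.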

Anyway, I caught this problem well over 6 months ago, and the site it was on isn’t even on the internet anymore. I was just reminded of it while perusing some old legacy code at my company and remembered that I’d forgotten to blog about this. All in all it only sent a few emails before I noticed something was funny. No harm no foul I suppose.

Let this be a lesson to those who release free code on hotscripts, as well as to those who blindly use code found in such repositories.

About Ryan Jones

Ryan Jones is an SEO from Detroit. By day he works as a manager of SEO & Analytics at SapientNitro where his team performs SEO for Fortune500 clients. By night he's either playing hockey or attempting to take over the world with his own websites - which he would have already succeeded in doing had it not been for those meddling kids and their dog. The views expressed here have not been paid for and belong only to Ryan, not any of his employers or clients. Follow Ryan on Twitter at: @RyanJones, add him on Google+ or visit his personal website: www.RyanMJones.com